A penetration test, sometimes referred to as a pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization’s systems), and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.

Penetration tests are valuable for several reasons:

Determining the feasibility of a particular set of attack vectors

Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence

Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software

Assessing the magnitude of potential business and operational impacts of successful attacks

Testing the ability of network defenders to successfully detect and respond to the attacks

Providing evidence to support increased investments in security personnel and technology

At NBG Networks, we conduct penetration tests on a customized, per-client basis. We strongly suggest that you know what you're getting into before you pay anyone for a pentest. Pentests can be done in many different ways, with varying degrees of benefit to your business. Recently, many security companies have started conducting what we consider a vulnerability assessment followed by running the results through an automated attack tool. The results of such a test are not very valuable, since they don't resemble a real attack.

Much higher value is extracted for your business by conducting goal-oriented pentests or by simulating advanced persistent threat or hacktivism-style attackers. These types of tests effectively demonstrate how well your security team and products are actually functioning. Goals frequently include items such as: change this record in our database; persist in our environment for X hours/days/weeks; exfiltrate large amounts of data in a manner consistent with an intellectual property thief. Goals may also be as simple as reading the CEO's email or accessing an administrator's workstation. By identifying goals before the test begins, NBG Networks provides more benefit at less expense.

Do's and Don'ts of PenTests

Don't leave important servers or services out of the scoping call; real attackers won't leave them out either.

Do assign a contact at your organization that is aware of what data really matters to your business.

Don’t alert the entire security and network staff that a test will be conducted. This is a common mistake and doesn’t accurately portray what will happen with a real threat.

Don't assume a one-week engagement will fully simulate any type of Advanced Persistent Threat. One week is not very persistent.